Once you have a strategy for managing and storing vault passwords, you can start encrypting content. You can encrypt two types of content with Ansible Vault: variables and files. Encrypted content always includes the !vault tag, which tells Ansible and YAML that the content needs to be decrypted, and a | character, which allows multi-line strings. Encrypted content created with --vault-id also contains the vault ID label. For more details about the encryption process and the format of content encrypted with Ansible Vault, see Format of files encrypted with Ansible Vault. This table shows the main differences between encrypted variables and encrypted files:

Encrypting individual variables with Ansible Vault

You can encrypt single values inside a YAML file using the ansible-vault encrypt_string command. For one way to keep your vaulted variables safely visible, see Keep vaulted variables safely visible.

Advantages and disadvantages of encrypting variables

With variable-level encryption, your files are still easily legible. You can mix plaintext and encrypted variables, even inline in a play or role. However, password rotation is not as simple as with file-level encryption. Also, variable-level encryption only works on variables. If you want to encrypt tasks or other content, you must encrypt the entire file.

The ansible-vault encrypt_string command encrypts and formats any string you type (or copy or generate) into a format that can be included in a playbook, role, or variables file. To create a basic encrypted variable, pass three options to the ansible-vault encrypt_string command:

You can add the output from any of the examples above to any playbook, variables file, or role for future use. Encrypted variables are larger than plain-text variables, but they protect your sensitive content while leaving the rest of the playbook, variables file, or role in plain text so you can easily read it.

You can view the original value of an encrypted variable using the debug module. You must pass the password that was used to encrypt the variable. For example, if you stored the variable created by the last example above in a file called ‘vars.yml’, you could view the unencrypted value of that variable like this:

Ansible Vault uses an editor to create or modify encrypted files. Ansible cannot know if it needs content from an encrypted file unless it decrypts the file, so it decrypts all encrypted files referenced in your playbooks and roles.
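Because variable-level encryption lets plaintext and !vault values sit side by side in one file, a quick audit of which variables are actually vaulted, and under which vault ID label, is a useful check before a vars file is committed. The following is an added example, not code from the Ansible project or from this page; it assumes the documented $ANSIBLE_VAULT header layout (format version, cipher, optional vault ID label) and uses a constructed vars file with placeholder ciphertext.

```python
"""Inventory vaulted vs plaintext top-level variables in an Ansible vars file."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: one plaintext value, one inline-vaulted value created
# with a vault ID label, and one secret left in plaintext by mistake.
# The hex body is a placeholder, not real ansible-vault output.
SAMPLE_VARS_YML = """\
db_host: db.example.internal
db_password: !vault |
  $ANSIBLE_VAULT;1.2;AES256;prod
  3031323334353637
  3839616263646566
api_token: plaintext-token-should-not-be-here
"""

# Header line of vaulted content: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id label>]
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;(?P<ver>[\d.]+);(?P<cipher>\w+)(?:;(?P<label>\S+))?$")
TOP_LEVEL_KEY = re.compile(r"^(?P<key>[A-Za-z_]\w*):\s*(?P<value>.*)$")

@dataclass
class VarInfo:
    name: str
    vaulted: bool
    vault_version: Optional[str] = None
    vault_label: Optional[str] = None   # None for 1.1 format or no --vault-id
    body_lines: int = 0                 # hex ciphertext lines under the header

def inventory(text: str) -> Dict[str, VarInfo]:
    """Line-based scan; enough for top-level scalar keys, no YAML parser needed."""
    result: Dict[str, VarInfo] = {}
    current: Optional[VarInfo] = None
    for line in text.splitlines():
        m = TOP_LEVEL_KEY.match(line)
        if m:
            value = m.group("value").strip()
            current = VarInfo(name=m.group("key"), vaulted=value.startswith("!vault"))
            result[current.name] = current
            continue
        if current is not None and current.vaulted and line.startswith("  "):
            h = VAULT_HEADER.match(line.strip())
            if h:
                current.vault_version, current.vault_label = h.group("ver"), h.group("label")
            else:
                current.body_lines += 1
    return result

def plaintext_vars(text: str) -> List[str]:
    """Names of variables that are not vaulted; review these for leaked secrets."""
    return [v.name for v in inventory(text).values() if not v.vaulted]
```

Run `plaintext_vars()` over a real vars file to flag names such as api_token that look like secrets but carry no !vault tag.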